taiga
/
taiga-back
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Updating permissions for supporting public projects

remotes/origin/enhancement/email-actions
Alejandro Alonso 2015-02-05 14:00:21 +01:00 committed by David Barragán Merino
parent efc666c793
commit 79e9682531
4 changed files with 49 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
taiga/base/filters.py
View File

@ -212,7 +212,7 @@ class CanViewProjectObjFilterBackend(FilterBackend):
qs = qs.filter((Q(id__in=projects_list) |
Q(public_permissions__contains=["view_project"])))
else:
qs = qs.filter(public_permissions__contains=["view_project"])
qs = qs.filter(anon_permissions__contains=["view_project"])
return super().filter_queryset(request, qs.distinct(), view)
@ -229,22 +229,49 @@ class IsProjectMemberFilterBackend(FilterBackend):
return super().filter_queryset(request, queryset.distinct(), view)
class MembersFilterBackend(filters.BaseFilterBackend):
class MembersFilterBackend(PermissionBasedFilterBackend):
permission = "view_project"
def filter_queryset(self, request, queryset, view):
project_id = request.QUERY_PARAMS.get('project', None)
project_id = None
project = None
qs = queryset
if "project" in request.QUERY_PARAMS:
try:
project_id = int(request.QUERY_PARAMS["project"])
except:
logger.error("Filtering project diferent value than an integer: {}".format(request.QUERY_PARAMS["project"]))
raise exc.BadRequest("'project' must be an integer value.")
if project_id:
project_model = apps.get_model('projects', 'Project')
project = get_object_or_404(project_model, pk=project_id)
if (request.user.is_authenticated() and
project.memberships.filter(user=request.user).exists()):
return queryset.filter(memberships__project=project).distinct()
else:
raise exc.PermissionDenied(_("You don't have permisions to see this project users."))
Project = apps.get_model('projects', 'Project')
project = get_object_or_404(Project, pk=project_id)
if request.user.is_superuser:
return queryset
if request.user.is_authenticated() and request.user.is_superuser:
qs = qs
elif request.user.is_authenticated():
memberships_qs = Membership.objects.filter(user=request.user)
if project_id:
memberships_qs = memberships_qs.filter(project_id=project_id)
memberships_qs = memberships_qs.filter(Q(role__permissions__contains=[self.permission]) |
Q(is_owner=True))
return []
projects_list = [membership.project_id for membership in memberships_qs]
if project and not "view_project" in project.public_permissions:
qs = qs.none()
qs = qs.filter(Q(memberships__project_id__in=projects_list) |
Q(memberships__project__public_permissions__contains=[self.permission])|
Q(id=request.user.id))
else:
if project and not "view_project" in project.anon_permissions:
qs = qs.none()
qs = qs.filter(memberships__project__anon_permissions__contains=[self.permission])
return qs.distinct()
class BaseIsProjectAdminFilterBackend(object):

6
taiga/projects/permissions.py
View File

@ -52,12 +52,12 @@ class ProjectPermission(TaigaResourcePermission):
destroy_perms = IsProjectOwner()
modules_perms = IsProjectOwner()
list_perms = AllowAny()
stats_perms = AllowAny()
stats_perms = HasProjectPerm('view_project')
member_stats_perms = HasProjectPerm('view_project')
star_perms = IsAuthenticated()
unstar_perms = IsAuthenticated()
issues_stats_perms = AllowAny()
issues_filters_data_perms = AllowAny()
issues_stats_perms = HasProjectPerm('view_project')
issues_filters_data_perms = HasProjectPerm('view_project')
tags_perms = HasProjectPerm('view_project')
tags_colors_perms = HasProjectPerm('view_project')
fans_perms = HasProjectPerm('view_project')

6
taiga/users/api.py
View File

@ -30,6 +30,7 @@ from taiga.auth.tokens import get_user_for_token
from taiga.base.decorators import list_route
from taiga.base.decorators import detail_route
from taiga.base.api import ModelCrudViewSet
from taiga.base.filters import PermissionBasedFilterBackend
from taiga.base.api.utils import get_object_or_404
from taiga.base.filters import MembersFilterBackend
from taiga.projects.votes import services as votes_service
@ -46,14 +47,11 @@ from . import permissions
from .signals import user_cancel_account as user_cancel_account_signal
######################################################
## User
######################################################
class UsersViewSet(ModelCrudViewSet):
permission_classes = (permissions.UserPermission,)
serializer_class = serializers.UserSerializer
queryset = models.User.objects.all()
filter_backends = (MembersFilterBackend,)
def create(self, *args, **kwargs):
raise exc.NotSupported()

8
tests/integration/resources_permissions/test_users_resources.py
View File

@ -86,7 +86,7 @@ def test_user_delete(client, data):
]
results = helper_test_http_method(client, 'delete', url, None, users)
assert results == [401, 403, 204]
assert results == [404, 404, 204]
def test_user_list(client, data):
@ -101,14 +101,14 @@ def test_user_list(client, data):
response = client.get(url)
users_data = json.loads(response.content.decode('utf-8'))
assert len(users_data) == 0
assert len(users_data) == 1
assert response.status_code == 200
client.login(data.other_user)
response = client.get(url)
users_data = json.loads(response.content.decode('utf-8'))
assert len(users_data) == 0
assert len(users_data) == 1
assert response.status_code == 200
client.login(data.superuser)
@ -146,7 +146,7 @@ def test_user_patch(client, data):
patch_data = json.dumps({"full_name": "test"})
results = helper_test_http_method(client, 'patch', url, patch_data, users)
assert results == [401, 200, 403, 200]
assert results == [404, 200, 404, 200]
def test_user_action_change_password(client, data):